the dogesec blog

much post. so knowledge. many intel. very subscribe. wow.

• 

  Using Sigma Rules inside Attack Flows as a Structured Way to Describe an Incident

  tutorial developers analyst April 14, 2025

  Many attacks are described using free text. This happens, then this, then this. Whereas detection rules provide a structured way to represent these descriptions with actionable content. Attack Flows are the perfect vehicle to combine the two approaches.
• 

  Beyond the ATT&CK Matrix: How to Build Dynamic Attack Flows with STIX

  tutorial developers analyst March 17, 2025

  MITRE ATT&CK techniques are useful, but they don’t capture the sequence of an attack. Enter Attack Flows.
• 

  An Introduction pySigma: Converting Sigma Rules to Work with Your SIEM

  tutorial developers February 10, 2025

  Learn how to seamlessly convert Sigma Rules into queries for your SIEM. Follow along with real examples.
• 

  Writing Advanced Sigma Detection Rules: Using Correlation Rules

  analysts tutorial January 13, 2025

  Correlation Rules allow you to detect threats by linking multiple events together based on a meaningful relationship.
• 

  Writing Effective Sigma Detection Rules: A Guide for Novice Detection Engineers

  analysts tutorial December 16, 2024

  Sigma Rules are becoming more widely adopted as the standard detection language. Learning how to write them is not difficult. Let me show you.
• 

  Getting Started with the MITRE ATT&CK Navigator

  analyst tutorial January 15, 2024

  The MITRE ATT&CK Navigator is a very useful tool to explore the MITRE ATT&CK (and other similar frameworks). In this post I take a look what you can do with Navigator and how it works under the hood so that you can use it to model your own ATT&CK-like frameworks.
• 

  How to Build Custom MITRE ATT&CK Content Using Workbench (Step-by-Step Guide)

  analysts tutorial December 11, 2023

  A practical Workbench guide: extend ATT&CK, link objects to techniques, and publish collections other teams and tools can consume.
• 

  STIX Shifter: Turning STIX Patterns into SIEM Queries

  analysts developers tutorial November 13, 2023

  Learn how to translate STIX detection patterns into SIEM queries using STIX Shifter, and convert detections back into STIX Observed Data for evidence and correlation.
• 

  How to Write STIX Indicator Patterns for Real Detection Rules

  analysts developers tutorial October 16, 2023

  Learn how to turn threat intelligence into actionable detection rules. Learn how to build behavioral detection using STIX Patterns, and link sightings to evidence.
• 

  STIX Storage for Developers: Memory, Files, and Databases

  developers tutorial September 18, 2023

  A practical guide to storing and querying STIX 2.1 data using MemoryStore, FileSystemStore, and ArangoDB — with Python examples.
• 

  STIX Extensions in the Wild: How to Add What the Spec Forgot

  analysts developers tutorial August 14, 2023

  How to design and ship STIX 2.1 extensions — new objects, nested props, and bundles — that your consumers will love.
• 

  Schema Chaos and the Art of STIX Maintenance

  developers tutorial July 10, 2023

  All I wanted was EPSS and CVSS to show up in OpenCTI. Instead, I ended up reverse-engineering half its schema and building new STIX Extensions from scratch. Here’s the mildly painful but oddly satisfying journey.
• 

  Your First STIX Objects: A Developer’s Guide to STIX 2.1 with Python

  developers tutorial June 19, 2023

  The fast, code-first way to generate valid STIX 2.1 threat intelligence in Python. Covers SDOs, SCOs, relationships, versioning, and bundling — everything you need to start building and sharing structured intel like a pro.
• 

  Understanding STIX 2.1 Objects: A Foundation for Structured Threat Intelligence

  analysts developers tutorial May 14, 2023

  Forget the 50-page spec. This guide explains STIX 2.1 objects—SDOs, SCOs, SROs, SMOs, and Bundles—in plain English with real threat intel examples.